Iran’s Cyber Proxies Launch Multi-Vector Retaliation Against Western Networks

Blog / 5 min read / March 10, 2026

Iran’s cyber offensive capability has shifted into high gear following joint US-Israeli military strikes in late February 2026. Multiple Iranian state-linked groups and hacktivist proxies are now conducting coordinated cyberattacks against Western targets, including critical infrastructure, government networks, and private sector entities across the United States and Europe.

According to Palo Alto Networks’ Unit 42, Iran-backed groups have expanded their global cyber operations using distributed denial-of-service attacks, website defacement, and destructive malware campaigns that combine data exfiltration with permanent system destruction. The timing suggests coordinated retaliation rather than opportunistic criminal activity.

Internet Blackout Hampers State Operations, Proxies Fill the Gap

Iran’s domestic internet connectivity collapsed to between 1 and 4 percent of normal levels following the February 28 strikes, severely limiting the operational capacity of state-backed Advanced Persistent Threat (APT) groups based inside the country. This has not reduced the overall threat level, however. Instead, Iranian officials have activated an extensive network of proxy groups and overseas operatives to conduct retaliatory cyber operations.

Unit 42 researchers have observed the formation of an “Electronic Operations Room”, established on February 28, that coordinates at least 60 individual hacktivist groups, including pro-Russian entities that have aligned with Iranian objectives. Key Iranian personas include Handala Hack, linked to Iran’s Ministry of Intelligence and Security (MOIS), which has claimed responsibility for compromising an Israeli energy exploration company and Jordan’s fuel systems.

According to threat intelligence firm Halcyon, the operational silence from some established Iranian hacktivist groups since January 2026 suggests they are engaged in active campaigns rather than lying dormant. Historically, such silence has accompanied ongoing operations rather than signalled reduced activity.

Destructive Campaigns Target US Critical Infrastructure

Iranian cyber actors are deploying increasingly destructive tactics that blur the line between criminal extortion and state-sponsored sabotage. Halcyon has identified the Iranian APT group MuddyWater conducting “Operation Olalampo,” a structured cyber offensive targeting the Middle East, Turkey, and Africa with tactics that overlap with other Iranian-aligned campaigns.

A new ransomware variant called Sicarii has emerged that makes data recovery impossible even for its operators: the malware discards its own encryption keys after encrypting files. Unlike conventional ransomware-as-a-service operations that aim for profit, Sicarii appears designed for permanent data destruction disguised as extortion. Whether the key loss is a defect or a design choice, the practical consequence is the same as a wiper: paying a ransom cannot restore the data, and the only recovery path is restoring from backups the malware could not reach.

CISA has warned that Iranian state hackers routinely target poorly secured US networks and internet-connected operational technology (OT) devices, and notes that recent activity includes malicious cyber operations against OT devices by APT actors affiliated with the Islamic Revolutionary Guard Corps.

Camera Networks Compromised for Battle Damage Assessment

Check Point researchers have documented a surge in exploitation attempts against IP cameras from Dahua and Hikvision across Israel and Gulf countries including the UAE, Qatar, Bahrain, and Kuwait. The attacks weaponise multiple vulnerabilities including CVE-2021-36260 (an unauthenticated command-injection bug in the Hikvision web server), CVE-2025-34067, and CVE-2021-33044 (an authentication bypass in Dahua devices). Two of these are years old and have vendor patches available, so the population at risk is largely devices that were never updated and remain reachable from the internet.

These camera compromises serve purposes beyond traditional espionage. Check Point assesses that Iran leverages camera networks for operational support and battle damage assessment for missile operations, so that camera-targeting activity can itself be an early indicator of follow-on kinetic activity. “Tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity,” the company warned.

Swedish Manufacturing Faces Heightened Risk

Sweden’s manufacturing sector has emerged as a primary target, accounting for 36.36 percent of ransomware attacks in the Nordic region during 2024 according to SOCRadar intelligence. Swedish companies now face a combination of geopolitical factors that raise their exposure: the country’s NATO membership and its advanced industrial base.

The targeting extends beyond opportunistic attacks. Swedish defence contractors and companies with Israeli partnerships face elevated risk, according to CISA’s latest advisories. Defence Industrial Base companies with holdings or relationships involving Israeli research and defence firms are at particular risk of Iranian cyber operations.

Major Swedish incidents in recent months include the Tietoevry attack that disrupted 120 government agencies and the Vestas Wind Systems breach that exposed employee data on dark web markets. The pattern suggests systematic targeting rather than random selection.

Recommendations for Nordic Companies

CrowdStrike’s Counter Adversary Operations head Adam Meyers warns that Western organisations should “remain on high-alert for potential cyber response as the conflict continues and activity may move beyond hacktivism and into destructive operations.” The recommendation is not theoretical — Iranian groups have already demonstrated willingness to deploy destructive malware against perceived adversaries.

Critical steps include limiting internet exposure of operational technology systems, implementing phishing-resistant multi-factor authentication, enforcing network segmentation, and maintaining offline backups that are regularly tested for restorability. Companies should also validate and prepare to respond to claims of data breaches, as threat actors increasingly use false claims to generate media attention and advance political narratives.
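The camera section above and the first recommendation here share one concrete check: is anything on your public address space answering on OT protocol ports or camera management ports? The Python script below is an added example, not code from Unit 42, Check Point, CISA or this post. It audits a constructed CSV export of the kind an external port scan produces and flags OT protocols (IANA-registered ports for Modbus, S7comm, DNP3, EtherNet/IP and BACnet) and camera services on internet-reachable addresses. The vendor camera ports (Hikvision 8000, Dahua 37777), the sample addresses and the sample banners are assumptions made for the example.

```python
import csv
import ipaddress
from io import StringIO

# Default ports of OT protocols and camera services that should never be
# reachable from the internet. IANA-registered ports are well known; the
# vendor-specific camera ports are assumptions taken from common deployments.
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}
CAMERA_PORTS = {
    554: "RTSP video stream",
    8000: "Hikvision SDK/management port (assumed default)",
    37777: "Dahua DVR/NVR service (assumed default)",
}

# Address space that is not routable from the internet. Checked explicitly
# rather than with ipaddress's is_global, because the stdlib also classifies
# the RFC 5737 documentation ranges used in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 equivalents
)]

# Constructed sample resembling a CSV export from an external port scan.
SAMPLE_SCAN = """\
ip,port,proto,banner
203.0.113.10,502,tcp,Modbus
203.0.113.10,443,tcp,nginx
192.168.10.5,502,tcp,Modbus
198.51.100.7,37777,tcp,Dahua
198.51.100.7,554,tcp,RTSP
198.51.100.9,8000,tcp,Hikvision
10.0.0.20,44818,tcp,EtherNet/IP
203.0.113.11,22,tcp,OpenSSH
"""


def is_internal(ip):
    """True when the address cannot be reached from the public internet."""
    return any(ip in net for net in INTERNAL_NETS)


def classify_port(port):
    """Map a port to (category, service), or None if it is not of interest."""
    if port in OT_PORTS:
        return "ot", OT_PORTS[port]
    if port in CAMERA_PORTS:
        return "camera", CAMERA_PORTS[port]
    return None


def audit_exposure(scan_csv):
    """Return one finding per internet-reachable OT or camera service."""
    findings = []
    for row in csv.DictReader(StringIO(scan_csv)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            port = int(row["port"])
        except (ValueError, KeyError, AttributeError):
            continue  # skip malformed rows rather than failing the whole audit
        if is_internal(ip):
            continue
        hit = classify_port(port)
        if hit is None:
            continue
        category, service = hit
        findings.append({
            "ip": str(ip), "port": port, "proto": row.get("proto") or "tcp",
            "category": category, "service": service,
            "banner": row.get("banner") or "",
        })
    return findings


def summarize(findings):
    """Count findings per category and list the affected hosts."""
    counts = {}
    hosts = set()
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
        hosts.add(f["ip"])
    return {"counts": counts, "hosts": sorted(hosts)}


if __name__ == "__main__":
    results = audit_exposure(SAMPLE_SCAN)
    for f in results:
        print(f"EXPOSED {f['ip']}:{f['port']}/{f['proto']} "
              f"[{f['category']}] {f['service']} (banner: {f['banner']})")
    print(summarize(results))
```

Run against the sample, the script reports one exposed Modbus endpoint and three exposed camera services on three hosts; the internal Modbus and EtherNet/IP entries are skipped because their addresses are RFC 1918 space. Feed it the output of your own external scan (the header row is the only format assumption) and treat every finding as a segmentation failure to be fixed before an adversary finds it for you.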

The FBI recommends reviewing its June 2025 fact sheet on Iranian cyber threats, noting that these actors typically exploit unpatched vulnerabilities, default passwords, and internet-connected industrial control systems. The guidance takes on new urgency given the current operational tempo of Iranian cyber proxies.

References

  1. Unit 42 Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
  2. Halcyon: Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks
  3. Canadian Centre for Cyber Security: Iranian Cyber Threat Response to US/Israel strikes
  4. CISA Iran Threat Overview and Advisories
  5. The Hacker News: Iran-Linked MuddyWater Hackers Target U.S. Networks
  6. FBI Reminder on Iranian Cyber Actor Activity
  7. SOCRadar Nordic Threat Landscape Report 2024
